Researchers discover flaws in SSO that leave websites vulnerable

The researchers' report attributed the flaws to poor integration of the identity providers' application programming interfaces (APIs) by website developers and to a lack of end-to-end security checks on the sign-on messages those websites receive.

“In this study, we discovered eight serious logic flaws in high-profile ID providers and relying party websites, such as OpenID (including Google ID and PayPal Access), Facebook, JanRain, Freelancer, FarmVille, Sears.com, etc. Every flaw allows an attacker to sign in as the victim user. We reported our findings to affected companies, and received their acknowledgements in various ways”, the researchers wrote in their report.

Although the flaws have been fixed by the affected companies, “this study shows that the overall security quality of SSO deployments seems worrisome”, they noted.
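The report's diagnosis, poor API integration and missing end-to-end checks at the relying party, is easiest to see in a small worked example. The code below is an added illustration, not the researchers' code or any named provider's real protocol: it uses a constructed assertion format in which a hypothetical identity provider (IdP) returns the user's e-mail, an audience and a nonce, signs with an HMAC over a shared secret exactly the fields the browser-relayed request asked for, and lists those fields in a `signed` parameter. `RP_ID`, the secret, the e-mail addresses and the function names are all assumptions made for the example. The weak relying party verifies the signature over whatever the message says is signed and then trusts the e-mail; the strict one first checks that every field it relies on is actually covered, that the assertion was issued for this site, and that it answers this site's own request. The attacker in both demos only ever holds an account of their own.

```python
# Added example (not from the page or the paper it reports on): a relying party
# verifying a signed single-sign-on assertion end to end. The assertion format,
# the shared-secret HMAC signing and the names below are constructed for this
# illustration and are not any real identity provider's protocol.
import hmac
import hashlib

IDP_SECRET = b"constructed idp/rp shared secret"   # constructed key material
RP_ID = "https://rp.example"                        # hypothetical relying party id
REQUIRED_SIGNED = ("email", "aud", "nonce")         # fields the RP relies on


def _signing_input(fields, signed_names):
    # Canonical bytes covered by the signature: the named fields, in order.
    return "&".join(f"{name}={fields[name]}" for name in signed_names).encode()


def _mac(secret, fields, signed_names):
    return hmac.new(secret, _signing_input(fields, signed_names), hashlib.sha256).hexdigest()


def idp_issue(secret, user_email, audience, nonce, sign_names):
    """Constructed IdP: signs exactly the attributes the request asked for.

    The request travels through the user's browser, so `sign_names` is under
    the control of whoever drives that browser, including an attacker logging
    in with an account of their own."""
    fields = {"email": user_email, "aud": audience, "nonce": nonce}
    fields["signed"] = ",".join(sign_names)
    fields["sig"] = _mac(secret, fields, sign_names)
    return fields


def rp_login_weak(assertion, secret):
    """Poor integration: verifies the signature over whatever the assertion
    says is signed, then trusts `email`. It never checks that `email` is in
    the signed set, that the assertion was issued for this RP, or that it
    answers the RP's own request."""
    signed_names = assertion["signed"].split(",")
    if not hmac.compare_digest(_mac(secret, assertion, signed_names), assertion["sig"]):
        return None
    return assertion["email"]


def rp_login_strict(assertion, secret, expected_nonce):
    """End-to-end check: every field the RP relies on must be covered by the
    signature, the signature must verify, the assertion must be addressed to
    this RP, and it must answer the nonce this RP issued for this login."""
    signed_names = assertion["signed"].split(",")
    if any(name not in signed_names for name in REQUIRED_SIGNED):
        return None
    if not hmac.compare_digest(_mac(secret, assertion, signed_names), assertion["sig"]):
        return None
    if assertion["aud"] != RP_ID or assertion["nonce"] != expected_nonce:
        return None
    return assertion["email"]


def demo_unsigned_email():
    """Attacker logs in as themself but has the IdP sign only aud and nonce,
    then swaps in the victim's e-mail, which lies outside the signed set."""
    nonce = "n-1"
    assertion = idp_issue(IDP_SECRET, "attacker@example.net", RP_ID, nonce, ("aud", "nonce"))
    assertion["email"] = "victim@example.com"
    return rp_login_weak(assertion, IDP_SECRET), rp_login_strict(assertion, IDP_SECRET, nonce)


def demo_wrong_audience():
    """A valid assertion the victim gave to a malicious site is replayed here."""
    nonce = "n-2"
    assertion = idp_issue(IDP_SECRET, "victim@example.com", "https://evil.example", nonce, REQUIRED_SIGNED)
    return rp_login_weak(assertion, IDP_SECRET), rp_login_strict(assertion, IDP_SECRET, nonce)


def demo_honest_login():
    """A genuine login must still pass the strict checks."""
    nonce = "n-3"
    assertion = idp_issue(IDP_SECRET, "alice@example.com", RP_ID, nonce, REQUIRED_SIGNED)
    return rp_login_weak(assertion, IDP_SECRET), rp_login_strict(assertion, IDP_SECRET, nonce)


if __name__ == "__main__":
    print("unsigned email:", demo_unsigned_email())   # ('victim@example.com', None)
    print("wrong audience:", demo_wrong_audience())   # ('victim@example.com', None)
    print("honest login:  ", demo_honest_login())     # ('alice@example.com', 'alice@example.com')
```

Both failure modes are pure logic errors at the relying party: the signature itself is never broken, and the identity provider behaves exactly as specified. That is what makes this class of flaw hard to spot from either side alone and why the report calls for checking the whole exchange end to end rather than trusting each API call in isolation.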

Commenting on the report, Steve Watts, cofounder of two-factor authentication (2FA) provider SecurEnvoy, said that the fact the security flaws were discovered in social networking sites such as Facebook and Twitter should raise alarm.

“The problem with SSO-based security is that it only authenticates the user when they actually log into the system concerned. And with nasties such as man-in-the-browser and plain text cookie intercepts becoming commonplace on both wireline and – in particular – wireless Internet connections, there is clearly a need for 2FA technology,” he said.